[strongSwan] ANNOUNCE: strongswan-4.5.2rc1 released

Andreas Steffen andreas.steffen at strongswan.org
Mon May 9 17:18:01 CEST 2011

the upcoming strongSwan 4.5.2 release is nearing completion.
As a preview a first release candidate has been made available
on our download site. Then new release offers the following
new features:

- The *whitelist* plugin for the IKEv2 daemon maintains an
   in-memory identity whitelist. Any connection attempt of peers
   not whitelisted will get rejected. The 'ipsec whitelist' utility
   provides a simple command line frontend for whitelist administration.


- The *duplicheck* plugin provides a specialized form of duplicate
   checking, doing a liveness check on the old SA and optionally notify
   a third party application about detected duplicates.


- The *coupling* plugin permanently couples two or more devices by
   limiting authentication to previously used certificates.


- Duncan Salerno contributed the *eap-sim-pcsc* plugin implementing
   a pcsc-lite based SIM card backend.

- The *eap-peap3 plugin implements Microsoft's EAP PEAPv0 protocol.
   Interoperates successfully with a FreeRADIUS server and Windows 7
   Agile VPN clients.


- In the case that the peer config and child config don't have the
   same name (usually in SQL database defined connections),

     ipsec up|route <peer config>

   starts|routes all associated child configs and

     ipsec up|route <child config>

   only starts|routes the specific child config.

- The IKEv2 daemon charon rereads strongswan.conf on SIGHUP and
   instructs  all plugins to reload. Currently only the *eap-radius*
   and the *attr* plugins support configuration reloading.

- Added userland support to the IKEv2 daemon for Extended Sequence
   Numbers support coming with Linux 2.6.39. To enable ESN on a
   connection, add the 'esn' keyword to the proposal. The default
   proposal uses 32-bit sequence numbers only ('noesn'), and the same
   value is used if no ESN mode is specified. To negotiate ESN support
   with the peer, include both, e.g.


- In addition to ESN, Linux 2.6.39 gained support for replay windows
   larger than 32 packets. The new global strongswan.conf option


   configures the size of the replay window, in packets.

- Linux 2.6.38 introduced the AF_ALG Crypto API which makes the
   crypto algorithms of the kernel available in userland. We have
   created a number of example scenario showing the use of the
   *af-alg* plugin for IKEv1


   and IKEv2


Please test the release candidate and give us a feedback on any
encountered problems. ETA for the stable release is in about 10 days.

Kind regards


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Users mailing list